London, UK – February 11, 2025 – Hackers are getting faster, craftier, and harder to spot. Today, Huntress, the cybersecurity company purpose-built to protect businesses of all sizes, exposes their playbook with the Huntress 2025 Cyber Threat Report, an extensive analysis of hacker activity that draws insights from over three million endpoints across thousands of organisations. The report reveals how threat actors adapted their tradecraft throughout 2024, using sophisticated tools and techniques across industries to maximise efficiency and profits.
In 2024, the gap between attack sophistication on large and smaller businesses nearly disappeared. Hackers took the methods and strategies tested on larger companies and applied them to organisations of every size. Advanced evasion techniques—once exclusive to advanced persistent threats—became the new normal, including endpoint detection and response (EDR) tampering, bring your own vulnerable driver (BYOVD) privilege escalations, and User Account Control (UAC) bypasses.
The takedown of major ransomware groups like LockBit and Dharma didn’t slow down attacks either—it opened the door for smaller, more agile groups and rebranded operations. Among them, Lynx (which shares many similarities with, and is widely believed to be a rebranding of, INC ransomware), RansomHub (a sub-group of LockBit), and Akira all ramped up their activity significantly compared to 2023.
Over the past year, Huntress tracked ransomware incidents from Lynx, Akira, and RansomHub, with incidents from these groups increasing by 7.9%, 11.6%, and 15.3%, respectively. By giving affiliates higher percentage payouts, often reaching 80–90% of the ransom, and pursuing a quantity-over-quality approach, the three collectively accounted for 54% of all ransomware incidents observed by Huntress in 2024. These groups used ‘smash-and-grab’ tactics, quickly deploying ransomware, demanding payment, and hitting their goals with swift and efficient network infiltration to minimise dwell time and evade detection. While the average time-to-ransom (TTR)—the time from initial access to ransomware deployment—was just shy of 17 hours, Akira and RansomHub’s came in around six hours, with Lynx not far behind at seven hours.
“Ransomware-as-a-Service (RaaS) groups like Lynx, Akira, and RansomHub have industrialised cybercrime, adopting a ‘quantity over quality’ approach to maximise profits. By providing affiliates with streamlined playbooks and toolkits, they’ve made launching attacks deceptively simple and incredibly lucrative,” said Greg Linares, Principal Threat Intelligence Analyst. “The rise of RaaS groups such as these has led to increased attacks on businesses of all sizes, with sophisticated techniques, once reserved for attacks on large enterprises, now becoming commonplace.”
Key trends in the Huntress 2025 Cyber Threat Report include:
- Education, healthcare, and technology industries were top targets: Education was the most targeted industry by hackers in 2024, making up 21% of all attacks, followed by healthcare (17%) and technology (12%). Hackers used tactics like credential theft, abuse of remote monitoring and management (RMM) tools, and malicious updates disguised as legitimate software to infiltrate educational institutions. Education is often seen as an easy target due to a reliance on shared networks, outdated systems, and lower security budgets, combined with the wealth of sensitive data, like student records and research, that makes these institutions top targets. Beyond that, the potential to disrupt learning processes and administrative functions also puts schools and universities under intense pressure to resolve attacks quickly, often forcing them into ransom payments.
- Infostealers drove initial access and ransomware attacks: Infostealers accounted for nearly a quarter (24%) of all observed incidents, highlighting their role in harvesting credentials, financial data, and sensitive information. Even adware and other unwanted programs, once seen as harmless infections, now have infostealing features that take sensitive data, contributing to a rise in infostealer incidents. Threat actors like Initial Access Brokers (IABs) regularly use infostealers to sell access to businesses, grouping them based on what gets stolen and increasing prices based on the freshness of the data, type of data (like session tokens), and target. Some IABs cherry-pick high-value data to sell to ransomware groups, earning percentages of ransom payments as a finder’s fee.
- Hackers maximised efficiency with automation: The majority (87%) of attacks in 2024 were automated or assisted by automated tools, with hackers using malware, scripts, and other automated methods to conduct widespread, low-effort campaigns efficiently. Once attackers gained access, they moved to more focused hands-on-keyboard (HOK) activity, representing 13% of activity, in which manual actions like lateral movement or domain enumeration were carried out. HOK activity spiked in February, June, July, and November 2024, and was most common between 12:00 UTC and 20:00 UTC—aligning with US East Coast business hours. This timing suggests attackers either use normal business activity as cover or need active devices and personnel for social engineering tactics.
- Phishing attacks grew more sophisticated: Phishing is still a key tool for initial access and reconnaissance, with attackers moving towards more sophisticated tactics like QR code phishing and Living Off Trusted Sites (LoTS). QR code phishing—where users are sent an email with an embedded QR code that directs to a malicious site—accounted for 8.1% of phishing emails, while 7% involved LoTS, a tactic that abuses legitimate platforms to share malicious documents. These advanced techniques mark a shift toward more targeted and deceptive strategies designed to exploit trust and evade traditional email filters.
“Hacker tradecraft is evolving fast, with ransomware groups growing bolder, attacks becoming harder to detect, and phishing scams reaching new levels of sophistication,” added Jamie Levy, Director, Adversary Tactics. “To stay ahead, organisations need a well-rehearsed incident response plan, ongoing vulnerability assessments, timely patching, and security awareness training that actually sticks. Key controls like endpoint detection and response, network segmentation, and identity and access management are also critical to minimising risk. With ransomware deployed within hours of initial access, taking proactive steps now is essential to minimising the impact of a breach.”
Additional resources:
- Get your copy of the Huntress 2025 Cyber Threat Report for insights on ransomware strategies, hacker activity, common tools and techniques, and more.
- Register for the webinar, “Breaking Down The Huntress 2025 Threat Report” on March 3, 2025, for insights from our experts on the latest cyber trends, shady tactics, and tradecraft we exposed in the Huntress 2025 Cyber Threat Report.
- Learn how Huntress protects endpoints, identities, and more with managed detection, investigation, and response.
- Read the Huntress Blog to stay updated on the latest tradecraft and tips to protect your business.